CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2023-3128

CVSS 9.4v3.1pub. 2023-06-22upd. 2025-02-13

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
  • Grafana

    APP
    Grafana
    6.7.0 – 8.5.27 (bez)9.2.0 – 9.2.20 (bez)9.3.0 – 9.3.16 (bez)9.4.0 – 9.4.13 (bez)9.5.0 – 9.5.4 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2021-39226CRITICAL9.8⚠ KEVten sam produkt

Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated ...

CVE-2026-27876CRITICAL9.1PL ✓ten sam produkt

RCE w Grafana przez SQL Expressions i plugin Enterprise (CVE-2026-27876)

CVE-2025-41115CRITICAL10.0PL ✓ten sam produkt

Grafana Enterprise: privilege escalation przez SCIM provisioning (LPE)

CVE-2024-9264CRITICAL9.4PL ✓ten sam produkt

Grafana: command injection i local file inclusion przez SQL Expressions (duckdb)

CVE-2022-39328CRITICAL9.8ten sam produkt

Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less tha...